
A Full Recap of Salesforce Supply-Chain Nightmare: How One Breach Impacted 700+ Organizations

In August 2025, attackers exploited OAuth tokens from Salesloft’s Drift integration to infiltrate hundreds of Salesforce customer environments, triggering one of the largest SaaS supply-chain breaches in recent memory. Google’s Threat Intelligence Group attributed the campaign to UNC6395, while a parallel vishing campaign by cybercrime groups compounded the chaos. The blast radius? 700+ organizations, including major tech and cybersecurity firms. This wasn’t a Salesforce core vulnerability; in fact, it was a supply‑chain compromise that turned a trusted SaaS integration into a backdoor.

How It Happened
  • Initial foothold: Attackers compromised Salesloft GitHub repos (Mar–Jun 2025), laying groundwork for token theft.
  • OAuth abuse: In August, stolen Drift OAuth tokens enabled API-level access to Salesforce orgs, bypassing MFA.
  • Data exfiltration: Massive SOQL queries targeted Accounts, Opportunities, Cases, and embedded secrets like AWS keys and Snowflake tokens.
  • Scope: Over 700 organizations impacted, including Cloudflare, Zscaler, Palo Alto Networks, CyberArk, Cisco, Tenable, Proofpoint, and more.

Timeline Recap

Here is a brief recap of the timelines of the data breach:

  • Mar–Jun 2025: Salesloft GitHub compromise.
  • Aug 8–18: OAuth token abuse → Salesforce data theft.
  • Aug 20: Drift tokens revoked; AppExchange removal.
  • Sep 3: Drift taken offline for hardening.
  • Oct 7: Salesforce refuses ransom demand.
  • Oct 9–10: FBI and French authorities seize BreachForums infrastructure used for extortion.

Who Was Impacted?

Public disclosures and independent tracking list hundreds of organizations, with many emphasizing that only CRM data (not product systems) was affected. Confirmations include Cloudflare, Zscaler, Palo Alto Networks, and others; Cloudflare published a detailed incident timeline showing exfiltration Aug 12–17 following Aug 9 reconnaissance.

Security trade press and tracking sites also list numerous affected vendors—BeyondTrust, CyberArk, Proofpoint, Tenable, Qualys, Rubrik, JFrog, Elastic, Workday, Workiva, Fastly, PagerDuty, Nutanix, and more.

Earlier in 2025, vishing‑led attacks separately hit large brands—Google, Cisco, Adidas, Qantas, LVMH subsidiaries, Allianz Life—by tricking users into connecting malicious apps or installing a trojanized Data Loader.

What data was exposed? Commonly, business contact records and case data, plus in some cases embedded credentials (API keys, Snowflake tokens, cloud creds) found in support communications—material that increases the risk of follow‑on credential stuffing, spear phishing, and lateral compromise.

The Aftermath: ShinyHunters and the Extortion Drama

The breach didn’t end with token revocation—it spiraled into a high-stakes extortion campaign led by ShinyHunters, operating under the alias Scattered Lapsus$ Hunters alongside members of Lapsus$ and Scattered Spider.

  • October 10 Deadline: ShinyHunters threatened to leak 1 billion records unless Salesforce paid by 11:59 PM ET, Oct 10. Victims included FedEx, Disney, Google, Marriott, Toyota, Chanel, and more.
  • FBI Intervention: Just hours before the deadline, the FBI and French cybercrime units seized BreachForums domains and backend servers, displaying seizure banners across the clearweb. All database backups and escrow systems were destroyed.
  • Leaks & Chaos: Despite takedowns, ShinyHunters leaked partial data from six companies (Qantas, Gap, Vietnam Airlines, Albertsons, FujiFilm, Engie Resources) via dark web mirrors. Then, abruptly, they declared the campaign “over”, citing inability to continue after FBI disruption.
  • Retreat & Pivot: In a Telegram post, ShinyHunters announced “The era of forums is over”, signaling a shift to Telegram-based extortion and even teasing an Extortion-as-a-Service (EaaS) model for 2026.

Why This Incident Matters
  • OAuth is powerful—and dangerous when stolen. Once a third‑party app has broad scopes, a stolen token grants standing API access that skirts interactive authentication and many MFA controls. The non‑human identities behind SaaS‑to‑SaaS integrations often lack the same visibility and guardrails as users, allowing stealthy, API‑driven data theft that traditional endpoint‑centric controls may miss.
  • Supply‑chain blast radius. A compromise of one SaaS vendor (Drift) cascaded into hundreds of customer environments—amplifying the attacker’s reach. This underlines the need for least‑privilege scopes and continuous posture monitoring of connected apps.
  • Two overlapping campaigns. Organizations faced both a third‑party token campaign (UNC6395) and a human‑driven vishing campaign (UNC6040). Together they show that identity and integration are the new perimeter.
  • Extortion pressure. By October, actors publicly threatened to leak ~1 billion records tied to Salesforce customer data and demanded payment—Salesforce said it would not negotiate or pay.

Recommendations: What Should Security Teams Do?
  1. Audit and restrict connected‑app scopes
    • Review Salesforce Connected Apps OAuth usage; remove over‑privileged tokens and enforce the “Admin approved users are pre-authorized” policy so only designated profiles can use each app. Where possible, enforce IP restrictions and reduce session lifetimes for API sessions.
  2. Hunt for exposed secrets in CRM data
    • Search for patterns like AKIA, snowflakecomputing.com, and common “password/secret/token” markers; rotate any credentials discovered.
  3. Investigate August 2025 activity windows
    • Review Event Monitoring logs for unusual SOQL queries, UniqueQuery spikes, and activity from the Drift connection user; match against IoCs.
  4. Revoke/rotate tokens and API keys
    • Remove residual Drift tokens; re‑authenticate integrations only after scope review and IP guardrails.
  5. Harden against vishing‑led intrusions
    • Train help desks/admins on OAuth consent social engineering; verify any support calls claiming to be from IT/Salesforce; block self‑service connected‑app installs. The FBI Flash details TTPs for UNC6040.
  6. Monitor for secondary attacks
    • FINRA warns that stolen contact data raises risks of credential stuffing and spear phishing; increase mail and identity telemetry for impacted populations.
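A triage script for recommendations 2 and 3 above (hunting for embedded secrets in exported CRM text, and reviewing API query activity for the integration user), added here as an example; it is not code from the original post, from Salesforce, or from Salesloft. The regex patterns, the sample case comment, the log lines and their column names are constructed for the example: the column names only loosely mirror the Salesforce Event Monitoring API event type, so adapt them to the schema of your org's EventLogFile export.

```python
"""Post-incident triage helpers for a Salesforce org after a third-party
OAuth token compromise like the Drift incident:
  1. hunt for secrets embedded in exported CRM text (case comments, emails);
  2. summarise API query volume per user from Event Monitoring-style log
     lines and flag integration users that read sensitive objects in bulk.
Added example; not code from the original post or from Salesforce/Salesloft.
The CSV column names below are an assumption modelled loosely on the
Salesforce Event Monitoring API event type; adapt them to your org's
EventLogFile schema."""
import csv
import io
import re
from collections import defaultdict

# --- 1. Secret hunting in exported CRM text ---------------------------------
# Each pattern exposes the sensitive value as the named group "value".
SECRET_PATTERNS = {
    # AWS access key IDs (long-lived AKIA..., temporary ASIA...)
    "aws_access_key_id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    # Snowflake account hostnames pasted into support threads
    "snowflake_account_url": re.compile(
        r"\b(?P<value>[a-z0-9_.-]+\.snowflakecomputing\.com)\b", re.I),
    # "password: ...", "api_key=...", "token: ..." style assignments
    "generic_secret_assignment": re.compile(
        r"\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?"
        r"(?P<value>[^\s'\"]{8,})", re.I),
}

def redact(value):
    """Keep only the first 4 and last 2 characters so findings can be
    shared in a ticket without re-exposing the secret."""
    if len(value) <= 6:
        return "***"
    return value[:4] + "*" * (len(value) - 6) + value[-2:]

def find_secrets(record_id, text):
    """Return a list of (record_id, pattern_name, redacted_value) hits."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((record_id, name, redact(match.group("value"))))
    return hits

# --- 2. API event triage ---------------------------------------------------
SENSITIVE_ENTITIES = {"Account", "Opportunity", "Case", "Contact", "User"}

def triage_api_events(csv_text, integration_users, row_threshold=10_000):
    """Aggregate API events per user. For users in integration_users, flag
    bulk reads, broad coverage of sensitive objects, and COUNT() sizing
    queries (the "how much is there" step that precedes a mass export)."""
    per_user = defaultdict(lambda: {"rows": 0, "entities": set(), "count_queries": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        stats = per_user[row["USER_NAME"]]
        stats["rows"] += int(row["ROWS_PROCESSED"] or 0)
        stats["entities"].add(row["ENTITY_NAME"])
        if "count()" in row["QUERY"].lower():
            stats["count_queries"] += 1

    findings = {}
    for user, stats in per_user.items():
        reasons = []
        if user in integration_users:
            if stats["rows"] >= row_threshold:
                reasons.append(f"bulk read of {stats['rows']} rows")
            touched = stats["entities"] & SENSITIVE_ENTITIES
            if len(touched) >= 3:
                reasons.append("read sensitive objects: " + ", ".join(sorted(touched)))
            if stats["count_queries"]:
                reasons.append(f"{stats['count_queries']} COUNT() sizing queries")
        findings[user] = {**stats, "flagged": bool(reasons), "reasons": reasons}
    return findings

# Constructed sample data (not real records or logs); the AWS key is the
# documented AWS example key, not a live credential.
SAMPLE_CASE_COMMENT = (
    "Hi, here are the creds you asked for: aws key AKIAIOSFODNN7EXAMPLE, "
    "warehouse xy12345.us-east-1.snowflakecomputing.com, password: Sup3rSecretPass! Thanks"
)
SAMPLE_EVENT_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED,QUERY
API,2025-08-09T02:11:05Z,drift.integration@example.com,Drift,Account,1,SELECT COUNT() FROM Account
API,2025-08-09T02:11:09Z,drift.integration@example.com,Drift,Case,1,SELECT COUNT() FROM Case
API,2025-08-12T03:40:00Z,drift.integration@example.com,Drift,Account,8500,"SELECT Id,Name,Website FROM Account"
API,2025-08-12T03:55:00Z,drift.integration@example.com,Drift,Case,6200,"SELECT Id,Subject,Description FROM Case"
API,2025-08-12T04:10:00Z,drift.integration@example.com,Drift,Opportunity,3100,"SELECT Id,Name,Amount FROM Opportunity"
API,2025-08-12T09:00:00Z,alice@example.com,Chrome,Account,20,SELECT Id FROM Account WHERE OwnerId='005xx'
Login,2025-08-12T09:00:00Z,alice@example.com,Chrome,,0,
"""

if __name__ == "__main__":
    for hit in find_secrets("500xx0000CASE01", SAMPLE_CASE_COMMENT):
        print("secret:", hit)
    for user, result in triage_api_events(SAMPLE_EVENT_LOG, {"drift.integration@example.com"}).items():
        print(user, "FLAGGED" if result["flagged"] else "ok", result["reasons"])
```

Run it against exported Case and EmailMessage bodies and the EventLogFile day files for the August 8–18 window. The row threshold and sensitive-entity list are starting points only; compare anything flagged against the connection user's normal daily volume before August 8, and rotate every credential the secret scan reports rather than just the ones that look current.
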

ThreatResponder®: Detect and Protect Against Advanced Cyber Threats

ThreatResponder by NetSecurity is an all-in-one endpoint security platform designed to detect, prevent, and respond to advanced cyber threats. As cyber threats continue to evolve, the need for robust, intelligent, and integrated defense platforms becomes paramount. ThreatResponder by NetSecurity stands out as a solution that not only meets technical requirements but also empowers CISOs to lead resilient, secure organizations.

Its proven performance, comprehensive capabilities, and strategic value make it a cornerstone of modern cybersecurity programs. In a world where seconds matter and clarity is rare, ThreatResponder delivers both—earning the trust of security leaders across critical infrastructure sectors.

ThreatResponder Dashboard

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).